Unescaped parameter $address_sql used in $wpdb->get_results($address_sql)
$address_sql assigned unsafely at line 725:
    $address_sql .= ")"
$address_sql assigned unsafely at line 724:
    $address_sql .= ", 'shipping'"
$address_sql assigned unsafely at line 722:
    $address_sql .= " FROM {$wpdb->prefix}wc_order_addresses WHERE order_id IN ({$fetch_order_ids_sql}) AND address_type IN ('billing'"
$fetch_order_ids_sql assigned unsafely at line 700:
    $fetch_order_ids_sql .= implode(',', $fetch_order_ids)
$fetch_order_ids assigned unsafely at line 697:
    $fetch_order_ids = array_splice($order_ids, 0, 256)

Unescaped parameter $get_order_statuses_sql used in $wpdb->get_results($get_order_statuses_sql)
$get_order_statuses_sql assigned unsafely at line 1100:
    $get_order_statuses_sql .= " WHERE orders.ID IN (".implode(',', $order_ids_with_refunds).")"
$order_ids_with_refunds assigned unsafely at line 1080:
    $order_ids_with_refunds = array_keys($refunds_data)
$refunds_data assigned unsafely at line 1078:
    $refunds_data = $this->get_refund_report_results($start_date, $end_date, true)
$start_date used without escaping.
$end_date used without escaping.

Affected Plugins
Plugins that have instances of this rule violation

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 1409:
    $sql = sprintf($sql, implode(',', array_keys($tax_rate_ids)))
$sql assigned unsafely at line 1396:
    $sql = "
        SELECT
            TR.tax_rate_id
            ,TR.tax_rate
            ,TR.tax_rate_class
            ,TR.tax_rate_name
        FROM
            ".$table_prefix."woocommerce_tax_rates TR
        WHERE
            (TR.tax_rate_id IN (%s))
    "

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 176:
    $sql = $this->get_items_sql($page_start, $page_size, $start_date, $end_date, $status)
$start_date used without escaping.
$end_date used without escaping.
$status used without escaping.

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 531:
    $sql = $this->get_refunds_sql(false, false, $start_date, $end_date)
$start_date used without escaping.
$end_date used without escaping.